Ensuring Network Security When Working with Third Party Vendors: Part 2 of 2

Following up on my last post on ensuring network security when working with third party vendors, to wrap up the discussion, we must examine data access levels, your incident response plan and the concept of cyber-insurance. Having an understanding and a plan around all of these can help you mitigate weak links in your security chain.

• What Data are they Getting and how are they Getting It?
  As part of this process you need to find out what type of data is being sent to the vendor. Many times other parts of the business will not find an issue with sharing a database or giving all your client information to a third party, but you should. Be aware of what’s being sent to these vendors and limit the PII and credit card information from being sent over to them. The more you review here the less risk you’ll have going forward. You don’t want another company having credit card numbers and then losing them. Let’s find out up front what they’re asking for and determine the safest way to provide them with what they need. If they want more information than you think they really  need, you might want to choose another vendor, or at least ensuring  a secure method of access to what’s required. Once this has all been vetted, you need to determine how the data or access will be obtained by the third party vendor. You’re in control here and it’s up to you to determine the guidelines as to how your data will be sent over to a third party, or how that third party will access your network.

• • Network segmentation folks.  When accessing your network, there should be a separate segment for vendors. If a vendor needs to access your network for some reason, treat this access like a DMZ. You have a separate firewall with monitoring enabled looking for suspicious and malicious traffic. They should only be accessing your network via a VPN with some sort of two-factor authentication in place. Monitor the accounts being used and verify that the passwords are long enough that a dictionary attack isn’t going to catch them, normally stay around 15+ for the character limit.
  • In terms of data transfer, don’t allow any data transferred via an insecure protocol. Many vendors still ask to have data transferred via FTP and this should be stopped. If you’re still using FTP to accept data as a vendor the probability that you’re not following other basic security practices is high. Always have a secure method of transmission for your data while it’s being sent, remember it’s your data.
  • Make sure that the data being sent is encrypted so that if the vendor’s storage was compromised or not secured appropriately, it will be encrypted-at-rest. This might sound like I’m being paranoid, but this is the lifeblood of your organization and you don’t want this falling into the wrong hands.

• Incident Response Plan
  Now that you’ve vetted the vendor, determined what data they need and how it’s going to be transferred, you need to start thinking about worse case scenarios. If you’ve done all of the above, you’ve done your homework and due diligence to protect your data. Even so, there’s always the possibility that data is going to be lost or stolen. Knowing that this is always a possibility you need to come up with incident response plan focused around your third party vendors. Bring in all areas of the business and live your nightmare [insert from Red Team drills article]. If you have a security breach you need to be prepared to work with this vendor to coordinate what happened to your data, who must be involved and what steps need to be taken. Having role played this before an incident with the proper people understanding their role and appropriate documentation created will help get a jump on controlling the incident… before the incident controls you. You can even speak with the vendors themselves about your plan and what you expect from them during an incident where they’ve lost your data or access. The more planning the better.

• Cyber-insurance
  So you’ve done everything here and realized that you still had a breach. The IR planning went well and you were able to contain the incident quickly, but you still lost a great deal of money. This is where Cyber-insurance comes into play. Having purchased insurance before a breach occurs can save your organization millions of dollars in lost revenue. Just like any other insurance, it doesn’t really pay until you need it. It might be a hard sell to some businesses, but in the long run if you have millions, or even billions, of dollars at stake, it’s going to be beneficial for you to purchase some type of insurance. This will not help with the reputation damage that will occur from a breach, but it will assist with keeping some of the cost down.

Overall, working with third party vendors is inevitable, but limiting the risk while working with them is our responsibility. We need to be able to sign off on the vendors that we’re working with, giving access to our data or even our network. They will never be trusted, but they’re needed to keep our business working or gaining strategic growth. It’s our job to allow this to happen and make sure it’s done securely. We don’t want someone yelling “And you’re the weakest link!! Goodbye!!” to us as we see our networks, data and reputation pillaged.